Trivy Supply Chain Attack Spreads Infostealer via Docker, Fuels CanisterWorm and Kubernetes Wiper Attacks

By Ash K

Cybersecurity researchers have uncovered a widening supply-chain attack centered on Trivy, the widely used open-source vulnerability scanner, after threat actors pushed trojanized container images to Docker Hub and used the resulting credential theft to fan out into npm compromises, backdoor deployments, and destructive Kubernetes wiper activity.

The latest findings show that the blast radius did not stop with malicious Trivy releases. Researchers say the campaign, attributed to TeamPCP, used a compromised Aqua Security credential to publish tainted artifacts, steal secrets from developer and CI/CD environments, deface internal repositories, and launch follow-on attacks that included the self-propagating CanisterWorm and a payload capable of wiping Iranian Kubernetes clusters.

The last known clean Trivy image on Docker Hub is 0.69.3. The malicious tags 0.69.4, 0.69.5, and 0.69.6 were later removed, and a Trivy maintainer said 0.69.4 was never legitimately released, meaning any appearance of that version should be treated as malicious. GitHub discussion posts tied to the incident also indicate Docker images published to Docker Hub, GHCR, and Aqua’s ECR gallery were considered compromised during the incident window.

According to reporting on the incident, new Trivy image tags 0.69.5 and 0.69.6 were pushed on March 22 without matching GitHub releases or tags, and both carried indicators linked to the same TeamPCP infostealer seen in earlier stages of the campaign. The compromise follows earlier abuse of the Trivy ecosystem, including the aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions.

The details of the attack chain are as follows:

  • Trojanized Trivy images 0.69.4 through 0.69.6 were published to Docker Hub and later removed after detection.
  • A compromised Argon-DevOps-Mgt service account token was allegedly used to deface 44 internal Aqua Security repositories in a brief scripted burst, renaming them with a tpcp-docs- prefix and exposing them publicly.
  • Researchers assessed that stolen credentials from the Trivy compromise enabled downstream supply-chain abuse, including the infection of dozens of npm packages with the self-propagating CanisterWorm.
  • Later-stage TeamPCP payloads were found stealing credentials, installing backdoors disguised as PostgreSQL-related services, and deploying privileged Kubernetes DaemonSets that either backdoored hosts or wiped Iranian nodes.
  • The latest variant added SSH-based spread using stolen keys and Docker API exploitation on port 2375, enabling lateral movement across local subnets.

One of the most striking elements of the campaign is how quickly it evolved from supply-chain poisoning into cloud-native destructive behavior. Aikido Security said the later payload checks whether it is running inside Kubernetes and whether the host appears to be Iranian based on timezone and locale signals such as Asia/Tehran, Iran, or fa_IR.

If the malware determines it is running in Kubernetes on an Iranian system, it deploys a privileged DaemonSet named host-provisioner-iran in the kube-system namespace. The container inside it, named kamikaze, mounts the host root filesystem, deletes data, and triggers a forced reboot across nodes, including control-plane systems because the DaemonSet uses broad tolerations. On non-Iranian Kubernetes targets, it instead deploys a DaemonSet called host-provisioner-std that installs the CanisterWorm backdoor as a systemd service on each node.
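A hunt for the DaemonSets described above, written as an added example (not code from the researchers or from Trivy). It reads `kubectl get daemonsets -A -o json` output and flags both the reported names and the underlying behaviour, so a renamed copy is still caught; the sample objects and the `node-helper` name are constructed, and treating a keyless `Exists` toleration as "broad tolerations" is an assumption.

```python
import json

# Names reported for this campaign (taken from the article).
IOC_DAEMONSETS = {"host-provisioner-iran", "host-provisioner-std"}
IOC_CONTAINERS = {"kamikaze"}

def hunt_daemonsets(kubectl_json):
    """Return {namespace/name: [reasons]} for DaemonSets worth investigating."""
    findings = {}
    for ds in json.loads(kubectl_json).get("items", []):
        meta = ds.get("metadata", {})
        pod = ds.get("spec", {}).get("template", {}).get("spec", {})
        containers = pod.get("containers", []) + pod.get("initContainers", [])
        reasons = []
        if meta.get("name") in IOC_DAEMONSETS:
            reasons.append("ioc-name")
        if any(c.get("name") in IOC_CONTAINERS for c in containers):
            reasons.append("ioc-container")
        # Name-independent check: privileged container + host root mounted
        # + a toleration with operator Exists and no key (tolerates any taint key).
        privileged = any((c.get("securityContext") or {}).get("privileged")
                         for c in containers)
        host_root = any((v.get("hostPath") or {}).get("path") == "/"
                        for v in pod.get("volumes", []))
        tolerate_all = any(t.get("operator") == "Exists" and not t.get("key")
                           for t in pod.get("tolerations", []))
        if privileged and host_root and tolerate_all:
            reasons.append("privileged+hostroot+tolerate-all")
        if reasons:
            findings[f"{meta.get('namespace')}/{meta.get('name')}"] = reasons
    return findings

def _ds(name, container, host_path):
    # Constructed item shaped like `kubectl get daemonsets -A -o json` output.
    return {"metadata": {"namespace": "kube-system", "name": name},
            "spec": {"template": {"spec": {
                "containers": [{"name": container,
                                "securityContext": {"privileged": True}}],
                "volumes": [{"name": "host", "hostPath": {"path": host_path}}],
                "tolerations": [{"operator": "Exists"}]}}}}

SAMPLE = json.dumps({"items": [
    _ds("host-provisioner-iran", "kamikaze", "/"),    # named as in the article
    _ds("node-helper", "agent", "/"),                 # same behaviour, renamed
    _ds("kube-proxy", "kube-proxy", "/lib/modules"),  # benign look-alike
]})

if __name__ == "__main__":
    for name, reasons in hunt_daemonsets(SAMPLE).items():
        print(name, reasons)
```

The behavioural rule will also surface legitimate node agents that mount the host root, so its hits need triage against a known-good inventory.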

For non-Kubernetes Iranian hosts, the campaign takes a cruder but still destructive route, attempting to wipe the system. Aikido later reported an updated variant that standardized on a find / -maxdepth 1 ... rm -rf approach followed by reboot -f, replacing earlier logic that used rm -rf / --no-preserve-root for some non-Kubernetes targets.

The backdoor path is no less concerning. Researchers said the implanted malware polls an ICP canister on the Internet Computer blockchain as a dead-drop resolver for command-and-control instructions, downloads binaries on command, and disguises persistence using names like internal-monitor, pgmonitor, and related PostgreSQL-themed filenames and service descriptions.

Socket and other researchers described the broader incident as evidence of the long tail of supply-chain attacks. In this case, a credential allegedly harvested during the Trivy GitHub Actions compromise was later weaponized to reach internal development assets and public package ecosystems. That progression matters because it turns a single CI/CD foothold into a multi-stage campaign with consequences for containers, source control, npm consumers, and Kubernetes environments.

The compromise of Aqua Security’s internal repositories was also unusually visible. Reporting says all 44 repositories under the affected internal GitHub organization were modified in roughly a two-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026, suggesting scripted abuse of a bot or service account rather than manual intrusion activity.

Researchers further observed that the newest TeamPCP variant no longer relies solely on Kubernetes to spread. Instead, it harvests SSH keys such as id_rsa, id_ed25519, and id_ecdsa, parses authentication logs for successful login pairs, scans the local /24 subnet, and then attempts lateral movement over SSH and unauthenticated Docker APIs on port 2375. That means developer machines, CI runners, and cloud workloads with weak segmentation or exposed local management interfaces could all become stepping stones.
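To check whether a host offers the unauthenticated Docker API this spread relies on, the added example below (not from the original reporting) audits the `hosts`, `tls` and `tlsverify` keys of a dockerd `daemon.json`. The three sample configurations are constructed, and the verdict labels are names chosen for this example.

```python
import ipaddress
import json
from urllib.parse import urlparse

def audit_docker_listeners(daemon_json_text):
    """Classify each TCP listener in a dockerd daemon.json document."""
    cfg = json.loads(daemon_json_text)
    # Only tlsverify makes the daemon demand a client certificate; "tls" alone
    # encrypts the channel but still accepts any client.
    client_auth = bool(cfg.get("tlsverify"))
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlparse(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        host = url.hostname or ""
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            # Hostname or missing host: only "localhost" is treated as loopback,
            # anything else is reported as network-reachable to stay conservative.
            loopback = host == "localhost"
        if client_auth:
            verdict = "mutual-tls"
        elif loopback:
            verdict = "unauthenticated-loopback"
        else:
            verdict = "unauthenticated-network"
        findings.append((listener, verdict))
    return findings

# Constructed daemon.json samples (not taken from any real host).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://127.0.0.1:2375"], "tls": true}'
HARDENED = ('{"hosts": ["tcp://10.0.0.5:2376"], "tlsverify": true, '
            '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/cert.pem", '
            '"tlskey": "/etc/docker/key.pem"}')

if __name__ == "__main__":
    for sample in (WEAK, TLS_ONLY, HARDENED):
        print(audit_docker_listeners(sample))
```

Listeners passed with `-H` on the dockerd command line or in a systemd unit are not covered by this check and need to be reviewed separately.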

The broader lesson for defenders is that this is no longer just a “bad package” incident. It is a chained compromise that blends supply-chain poisoning, secret theft, service account abuse, worm propagation, cloud-native persistence, and targeted destruction. Organizations that recently pulled or executed affected Trivy builds should assume the possibility of credential exposure and review both developer and runtime environments accordingly.

Defenders should avoid the affected Trivy versions in CI/CD, review recent Trivy executions, inspect for unauthorized GitHub Actions use, rotate any exposed or long-lived service account tokens, audit npm dependencies for suspicious package updates, and hunt for Kubernetes DaemonSets such as host-provisioner-iran and host-provisioner-std. Hosts should also be checked for suspicious services and files such as internal-monitor, pgmonitor, /var/lib/svc_internal/runner.py, /var/lib/pgmon/pgmon.py, and unexpected outbound traffic to icp0 or temporary Cloudflare tunnel domains.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.